
How to Report Potential Product Security Vulnerabilities

Never say never when it comes to security. While implementing good security practices contributes significantly to the protection of information, credentials, intellectual property or assets, there is no perfect solution to make a system or product impossible to attack. Since the security of our products is of critical importance to us and our customers, we take any reports of potential security vulnerabilities seriously.

The Microchip Product Security Incident Response Team (PSIRT) is responsible for receiving and responding to reports of potential security vulnerabilities in our products, as well as in any related hardware, software, firmware, and tools. Once a report is received, the PSIRT will take the necessary steps to review the issue and determine what actions might be required to address any potential impacts to our products.

Follow These Steps to Report a Potential Security Vulnerability

Send an email in English only to psirt@microchip.com and include as much information as possible:

  • Your contact information
  • Product name with any version or revision numbers
  • Name of the person who found the vulnerability
  • Date when the vulnerability was detected and details about how it was discovered
  • Detailed technical description of the potential vulnerability
  • Detailed description of potential exploits
  • A Common Vulnerability Scoring System (CVSS) score if possible

Due to the sensitive nature of the information being exchanged, the Microchip PSIRT highly recommends that all security vulnerability reports be encrypted with the Microchip PSIRT PGP/GPG key before they are submitted. Check that the key you import has exactly the fingerprint below before you encrypt to it:

  • Fingerprint: 37F360C867D9307734F9F347F6E69F3437D74775
  • Public Key File (3 KB)

Use these links to access free software to read and author PGP/GPG encrypted messages:

How Microchip’s PSIRT Responds to Reports

Microchip’s PSIRT will use the following steps to respond to a report of a potential security vulnerability:

  1. Notification: Microchip receives the report and acknowledges the receipt of the information
  2. Review: Microchip reviews the information provided to determine if a Microchip product is indeed affected and if there is sufficient data in the report to begin an investigation
  3. Analysis: Once all the necessary information is received, Microchip does an in-depth technical investigation into the reported potential vulnerability
    1. Microchip also uses CVSS v3.1 to score the vulnerability so that it is prioritized for analysis and remediation
    2. A CVE ID may also be created if necessary
  4. Corrective actions: If the security vulnerability is verified, Microchip takes the appropriate actions for remediation of the issue
  5. Disclosure: Microchip communicates information about the verified vulnerability where appropriate and may make details about the remediation actions available in a security advisory or a bulletin

Our Responsible Disclosure Policy

Microchip PSIRT follows a coordinated vulnerability disclosure (CVD) policy that you should review before you submit a report. It is based on the CERT® Guide to Coordinated Vulnerability Disclosure, and it describes the expectations and relationship between Microchip and you as the reporter.

Media Inquiries

If you are a member of the media, please send any inquiries you may have regarding the security of Microchip products to PR@microchip.com.